WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 #4734

mend-for-github.aaakk.us.kg · 2023-08-14T22:27:01Z

WS-2017-3772 - High Severity Vulnerability

Vulnerable Library - juice-shopjuice-shop-14.5.1_node16_darwin_x64

Probably the most modern and sophisticated insecure web application

Library home page: https://sourceforge.net/projects/juice-shop/

Found in base branch: main

Vulnerable Source Files (1)

/packages/osd-ui-framework/node_modules/underscore.string/unescapeHTML.js

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-09-08

Fix Resolution: underscore.string - 3.3.5

manasvinibs · 2023-08-16T21:37:18Z

yarn why underscore.string
yarn why v1.22.19
[1/4] Why do we have the module "underscore.string"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "grunt#[email protected]"
info Reasons this module exists
   - "_project_#grunt#grunt-legacy-util" depends on it
   - Hoisted from "_project_#grunt#grunt-legacy-util#underscore.string"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "444KB"
info Disk size with unique dependencies: "548KB"
info Disk size with transitive dependencies: "548KB"
info Number of shared dependencies: 2
Done in 0.82s.

With the current state in main, package manager is already installing underscore.string to 3.3.6 version as its locked in the yarn.lock file. We will not need additional package.json resolution to bump the version to 3.3.6.

Resolving as we already install suggested fix version.

mend-for-github.aaakk.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Aug 14, 2023

github-actions bot added the untriaged label Aug 14, 2023

AMoo-Miki changed the title ~~WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64~~ WS-2017-3772 (High) detected underscore.string 2.4.0 through 3.3.5 Aug 15, 2023

AMoo-Miki assigned joshuarrrr Aug 15, 2023

AMoo-Miki removed the untriaged label Aug 15, 2023

manasvinibs self-assigned this Aug 15, 2023

manasvinibs mentioned this issue Aug 16, 2023

Bump underscore.string to version 3.3.6 to fix ReDoS vulnerability #4750

Closed

8 tasks

mend-for-github.aaakk.us.kg bot changed the title ~~WS-2017-3772 (High) detected underscore.string 2.4.0 through 3.3.5~~ WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 Aug 16, 2023

manasvinibs closed this as completed Aug 16, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 #4734

WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 #4734

mend-for-github.aaakk.us.kg bot commented Aug 14, 2023

manasvinibs commented Aug 16, 2023

WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 #4734

WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 #4734

Comments

mend-for-github.aaakk.us.kg bot commented Aug 14, 2023

WS-2017-3772 - High Severity Vulnerability

manasvinibs commented Aug 16, 2023